Tag Archive for: weaponized

The FBI Disrupted Russian GRU Botnet Malware Through a Court Order Before It Could Be Weaponized


The Federal Bureau of Investigation (FBI) said it shut down a Russian GRU botnet malware through a court-authorized operation before it could be weaponized.

The botnet targeted Firebox firewall hardware used by many small and midsized businesses from WatchGuard Technologies.

The DOJ said the operation involved copying and removing “malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”

U.S. Attorney General Merrick Garland also disclosed that US authorities worked with WatchGuard to analyze the malware, remove it before it could be used, and create detection and remediation techniques.

Russian GRU botnet malware linked to Sandworm APT

The FBI said the botnet used the Cyclops Blink malware associated with the Sandworm (also known as Voodoo Bear) team. The group is linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

“This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses,” FBI Director Christopher Wray said in a press statement.

The Sandworm hacking group is responsible for large-scale cyberattacks including the worldwide NotPetya campaign, the 2015 shutdown of Ukraine’s power grid, the French presidential campaign hack, the 2018 Winter Olympics “Olympic Destroyer” attack, and attacks on the Organization for the Prohibition of Chemical Weapons (OPCW).

The Cyclops Blink malware emerged in 2019 as a replacement for the VPNFilter malware that the Justice Department brought down through another court-authorized action in 2018.

On Feb 3, 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued an advisory on Cyclops Blink malware targeting WatchGuard and Asus networking devices.

Similarly, researchers from Trend Micro warned in March 2022 that the Cyclops Blink malware targeted devices in non-critical infrastructure organizations to…


Trend says hackers have weaponized SpringShell to install Mirai malware




Researchers on Friday said that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable Internet of Things devices with Mirai, an open source piece of malware that wrangles routers and other network-connected devices into sprawling botnets.

When SpringShell (also known as Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a sizable portion of apps on the Internet. That comparison proved to be exaggerated because the configurations required for SpringShell to work were by no means common. To date, there are no real-world apps known to be vulnerable.

Researchers at Trend Micro now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published didn’t identify the type of device or the CPU used in the infected devices. The post did, however, say a malware file server they found stored multiple variants of the malware for different CPU architectures.


“We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma wrote. The exploits allow threat actors to download Mirai to the “/tmp” folder of the device and execute it following a permission change using “chmod.”

The attacks began appearing in researchers’ honeypots early this month. Most of the vulnerable setups were configured with these dependencies:

  • Spring Framework versions before 5.2.20 or 5.3.18, running on Java Development Kit (JDK) version 9 or higher
  • Apache Tomcat
  • Spring-webmvc or spring-webflux dependency
  • Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
  • Deployable, packaged as a web application archive (WAR)

Trend said the success the hackers had in weaponizing the exploit was largely due to…


RiskSense Ransomware Spotlight Report Reveals Surge in Weaponized Vulnerabilities, New Targets and RaaS




Google Services Weaponized to Bypass Security in Phishing, BEC Campaigns – Threatpost



